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Preface 


Initial  results  of  an  analysis  of  the  traffie  data  of  CyberSleuth  eaptured  in  the  Tactical  Internet 
laboratory  of  the  U.S.  Army  Communications-Electronics  Research,  Development,  and 
Engineering  Center  (CERDEC)  are  reported  in  this  document.  CyberSleuth  is  a  prototype  of  an 
adaptive  agent-based  vulnerability  system  being  developed  by  the  U.S  Army  Research 
Eaboratory  for  potential  transition  to  CERDEC  under  the  Technical  Program  Annex  number  CE- 
CI- 1999- 10. 

The  concept  of  CyberSleuth  was  originally  developed  by  the  consortium  team  members  of  the 
Advanced  Telecommunications  and  Information  Distribution  Research  Program,  operated  under 
the  Eederated  Eaboratory  Program  from  1996  to  2001. 
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Executive  Summary 


Preliminary  results  of  an  analysis  of  CyberSleuth  traffie  data  are  reported  in  this  doeument. 
CyberSleuth  is  a  prototype  of  an  adaptive  agent-based  vulnerability  system  that  ean  operate  in 
two  modes:  paranoid  mode  and  suspieious  mode.  The  paranoid  mode  enables  eontinuous  and 
random  assessments  of  system  vulnerability  at  target  hosts.  The  suspieious  mode  uses  the 
assessment  results  performed  in  the  paranoid  mode  as  a  basis  for  eoneurrent  and  autonomous 
assessments.  The  operational  eoneept  of  CyberSleuth  was  originally  developed  and  demonstrated 
by  the  eonsortium  team  members  of  the  Advaneed  Teleeommunieations  and  Information 
Distribution  Researeh  Program  (7),  whieh  was  part  of  the  Federated  Laboratory  Program,  1996- 
2001. 

The  traffie  data  were  eaptured  in  an  experiment  eondueted  from  13  to  21  August  2002  in  the 
Taetieal  Internet  (TI)  laboratory  of  the  U.S.  Army  Communications-Eleetronie  Researeh, 
Development,  and  Engineering  Center  (CERDEC),  Eort  Monmouth,  NJ.  Only  the  performanee 
of  CyberSleuth  operating  in  the  paranoid  mode  was  observed  in  the  experiment.  The  suspicious 
mode  of  CyberSleuth  was  inoperable  because  there  was  no  version  of  the  Amzi!  software  that 
could  run  on  Solaris™  x86,  the  operating  system  used  in  the  TI.  The  experiment  employed  a 
computer  to  serve  as  a  mobile  agent  dispatcher  capable  of  sending  assessment  agents  to  two 
other  computers  by  two  radio  links  via  single-channel  ground-air  radio  system  (SINCGARS)  and 
enhanced  position  location  and  reporting  system  (EPLRS)  tactical  radios. 

The  analysis  focuses  on  identifying  the  size  of  the  mobile  agents  used  in  CyberSleuth  and  the 
required  time  for  a  mobile  agent  to  travel  between  two  networked  computers  because  these  two 
properties  affect  the  performance  of  CyberSleuth  and  influence  the  design  of  size-efficient 
mobile  agents  potentially  appropriate  for  the  resource-constrained  environment.  The  effective 
throughputs,  calculated  with  the  measured  sizes  and  transmission  time  for  CyberSleuth  traffic  on 
the  EPERS  radio  link  were  relatively  consistent  at  about  400  bits  per  second  (bps).  On  the  other 
hand,  the  calculated  throughputs  for  CyberSleuth  traffic  on  the  SINCGARS  radio  link  varied 
widely  from  about  200  bps  to  1,578  bps.  Concurrent  communication  sessions  and  frequent 
transmissions  of  short  messages  could  possibly  cause  this  variation. 

The  knowledge  learned  from  the  empirical  results  could  potentially  lead  to  a  better 
understanding  of  the  constrained  behavior  of  a  very  low  bandwidth  communication  environment 
in  which  a  potential  application  of  mobile  agents  would  have  to  operate.  The  limited  bandwidth 
available  for  CyberSleuth  in  the  experiment  was  a  difficult  environment  in  which  the  mobile 
assessment  agents  operated.  The  size  of  the  mobile  assessment  agents  was  a  concern  because  it 
proportionally  affected  the  transmission  time.  Euture  challenges  for  CyberSleuth  developers  will 
include  reducing  the  size  of  the  mobile  agents  without  sacrificing  their  effectiveness  and 
conducting  further  empirical  studies  to  corroborate  several  claimed  features  of  CyberSleuth, 
including  but  not  limited  to  its  adaptivity  and  efficiency. 
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1.  Introduction 


1,1  Background 

CyberSleuth  is  a  prototype  of  an  adaptive  agent-based  vulnerability  system  whose  coneept  was 
originally  developed  and  demonstrated  by  the  eonsortium  team  members  of  the  Advaneed 
Teleeommunications  and  Information  Distribution  Researeh  Program  (7),  whieh  was  part  of  the 
Federated  Laboratory  Program  from  1996  to  2001.  The  CyberSleuth  team  members  consist  of 
the  U.S.  Army  Research  Laboratory  (ARL),  the  City  College  of  the  City  University  of  New 
York,  Telcordia  Technologies,  and  BAE*  SYSTEMS.  CyberSleuth  is  now  further  refined  for 
potential  transition  to  the  Space  and  Terrestrial  Communications  Directorate  of  the  U.S.  Army 
Communications-Electronic  Research,  Development,  and  Engineering  Center,  which  is  also 
known  as  the  U.S.  Army  Communications  and  Electronics  Command,  under  the  Technical 
Program  Annex  (TP A)  number  CE-CI-1999-10. 

CyberSleuth  is  designed  for  potential  operation  in  tactical  digitized  information  networks  that 
have  constrained  computational  resources  and  limited  bandwidth.  These  computing 
environments  can  accommodate  only  incremental  assessments,  which  are  performed  by  the 
mobile  assessment  agents  (MA)  of  CyberSleuth  running  in  either  paranoid  mode  or  suspicious 
mode.  Assessments  are  continuously  and  randomly  performed  in  the  paranoid  mode  and  are 
concurrently  and  autonomously  performed  in  the  suspicious  mode.  The  MA  technology  is  a 
relatively  novel  network-computing  paradigm  with  many  features  that  have  been  claimed  to  be 
suitable  for  low  bandwidth  networks  (2,  5,  4).  Five  significant  functional  components  of 
CyberSleuth  are  depicted  in  figure  1 . 


Figure  1.  Functional  architecture  (7). 


British  Aerospace 
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The  discovery  process  (DP)  component,  situated  on  the  upper  right  comer,  explores  the 
underlying  network  to  find  potential  computing  targets  that  are  capable  of  hosting  the  execution 
of  the  mobile  assessment  agents  of  CyberSleuth.  The  DP  also  classifies  the  assessment  targets 
on  the  basis  of  their  hardware  architecture  and  operating  systems,  thereby  automatically 
obtaining  topographic  information  of  the  network  for  subsequent  use  in  assessment  processes. 

For  this  reason,  the  DP  mns  at  the  beginning  of  the  execution  of  CyberSleuth. 

The  two  components  on  the  left,  the  paranoid  dispatcher  and  the  agent  generator,  function  in 
tandem  to  perform  assessments  in  the  paranoid  mode,  which  operates  on  the  assumption  that  a 
known  vulnerability  exists  somewhere  in  the  network.  The  agent  generator  dynamically  and 
adaptively  creates  assessment  agents  suitable  for  target  hosts.  The  paranoid  dispatcher  launches 
mobile  assessment  agents  to  target  hosts  and  receives  them  as  they  return  from  having  completed 
an  assessment  at  a  remote  host. 

In  the  center  and  on  the  lower  right  corner  of  figure  1  are  the  suspicious  correlator  and  the 
suspicious  dispatcher  that  also  operate  in  tandem  to  direct  assessments  in  the  suspicious  mode, 
which  runs  on  a  clear  evidence  that  a  vulnerability  exists  in  a  specific  host.  The  suspicious 
correlator  analyzes  the  received  assessment  results  and  decides  whether  the  suspicious  dispatcher 
should  dispatch  a  mobile  agent  equipped  with  a  set  of  comprehensive  and  relevant  assessment 
techniques  for  a  particular  type  of  vulnerability. 

Enabling  technologies  used  in  CyberSleuth  consist  of  Java^  technologies  and  a  custom  Amzi!^ 
inference  engine  software.  Java  technologies  include  a  mobile-agent  execution  environment 
called  Aglets^  and  a  JavaBeans"^  component  architecture.  All  mobile  assessment  agents  are  built 
with  Aglets  technology,  and  they  are  designed  to  carry  various  JavaBeans  components  for 
execution  at  a  target  host.  Each  JavaBeans  component  implements  a  mechanism  for  assessing  a 
specific  vulnerability.  The  Amzi!  inference  engine  is  used  to  develop  the  suspicious  correlator 
capable  of  analyzing  and  evaluating  assessment  results  to  determine  their  significance  and 
implication.  Complete  functionality  of  CyberSleuth  therefore  theoretically  could  be 
demonstrated  on  any  computing  platform  that  runs  a  suitable  Java  virtual  machine  and  an 
appropriate  Amzi!  inference  engine. 

1,2  Scope  and  Purposes 

This  document  reports  preliminary  results  of  an  analysis  of  CyberSleuth  traffic  data  that  were 
captured  in  an  experiment  conducted  as  part  of  the  Tactical  Command  and  Control  (C2)  Protect 
Advanced  Technological  Demonstration  (ATD)  program  in  a  laboratory  environment  of  a 
tactical  digitized  communications  and  information  network,  the  Tactical  Internet  (TI)  laboratory 
of  CERDEC.  The  analysis  neither  evaluates  the  overall  performance  of  CyberSleuth  nor 
determines  its  usefulness  or  appropriateness  in  the  TI  environment. 

The  analysis  focuses  on  identifying  the  size  of  the  mobile  agents  used  in  CyberSleuth  and  the 
required  time  for  a  mobile  agent  to  travel  between  two  networked  computers  because  these  two 
properties  affect  the  performance  of  CyberSleuth  and  influence  the  design  of  size-efficient 


'the  source  for  Java  technology,  URL:  http://java.sun.com. 

2 

Prolog  software  development  environment  and  inference  engine,  URL:  http://www.amzi.com/. 

3 

Aglets  software  development  kit,  URL:  http://aglets.sourceforge.net/. 

^The  JavaBeans  Component  Architecture,  URL:  http://java.sun.com/products/javabeans/. 
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mobile  agents  potentially  appropriate  for  a  resource-constrained  environment,  such  as  the  TI 
which  is  being  used  by  the  4th  Infantry  Division,  the  first  digital  force  of  the  U.S.  Army.  TI 
provides  a  communications  link  from  the  foxhole  to  the  Pentagon;  it  is  a  hierarchical  network  of 
digital  computers  that  use  various  tactical  radios  as  a  means  for  transporting  digital  information 
over  the  air  medium  at  various  bandwidths.  Low  bandwidths  are  available  at  the  low-level 
echelons,  and  higher  bandwidths  are  available  at  higher  echelons. 

The  intended  audience  of  this  report  includes  technical  personnel  and  management  involved  in 
the  design  and  development  of  network-centric  applications  for  TI. 

The  next  section  describes  the  TI  environment  and  the  testing  method  that  was  used  in  the 
experiment.  The  Results  section  documents  the  results  obtained  in  the  experiment.  The 
Discussion  section  discusses  the  results  reported  in  the  previous  section.  The  Conclusions  and 
Recommendations  section  provides  a  summary  of  substantiated  findings,  together  with  their 
implication  for  the  development  of  MA  applications  and  a  list  of  recommendations  for 
implementation  and  future  research  opportunities.  Appendix  A  provides  a  list  of  acronyms  that 
were  used  in  this  report.  Appendix  B  includes  the  Python  program  that  was  used  to  parse  the  log 
data.  Appendix  C  gives  a  sample  of  the  log  data. 


2.  Method 


The  experiment  was  conducted  in  the  TI  laboratory  of  CERDEC  from  13  to  21  August  2002. 
Each  collaborating  host  was  preconfigured  with  the  Eorce  XXI  Battle  Command  Brigade  and 
Below  (EBCB2)  software^  running  in  a  homogeneous  environment  of  Sun  Solaris™  x86 
operating  systems.  The  EBCB2,  working  together  with  tactical  radios,  provides  two-dimensional 
graphical  situation  awareness  (SA)  and  digital  C2  services  to  the  land  warrior.  The  experiment 
employs  three  computers  in  the  TI  laboratory,  as  depicted  in  figure  2. 


Company  Commander 
(CDR-M1-1BN66AR) 


Platoon  Leader 
(PL-1-A-1BN66AR 


o 


o  o 


o 


O  O  fiO  Wingman 

(WGM1-1-A-1BN66AR) 


Figure  2.  Experiment  setup. 


^The  FBCB2  Software  Information  Center, 

URL:  https://peoc3s-res.monmouth.army.miFQuickPlace/fbcb2_software/main.nsf 
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Each  computer  was  then  additionally  loaded  with  supporting  software  that  CyberSleuth  needed 
to  funetion  properly:  an  appropriate  Java  virtual  maehine  and  an  Aglet  exeeution  environment 
suitable  for  dispatehing  and  running  mobile  assessment  agents.  Beeause  of  limited  network 
bandwidth  availability,  the  size  of  eaeh  agent  was  eonfigured  to  earry  two  assessment 
mechanisms  capable  of  ehecking  two  known  vulnerabilities  at  eaeh  target  host  although 
theoretieally,  an  assessment  agent  eould  earry  as  many  meehanisms  as  the  system  resouree  eould 
support.  The  CyberSleuth  software  was  loaded  on  only  one  eomputer,  the  one  that  would  belong 
to  a  platoon  leader  in  reality.  From  this  eomputer,  CyberSleuth  dispatehed  assessment  agents  to 
two  other  computers:  the  Wingman  and  the  eompany  eommander  eomputers.  A  pair  of  two 
enhanced  position  loeation  and  reporting  system  (EPLRS)^  radios  served  as  the  digital  data 
eommunieation  link  between  the  platoon  leader  and  the  eompany  eommander.  A  pair  of  single- 
ehannel  ground-to-air  radio  system  (SINCGARS)^  provided  the  digital  and  voiee  eommunieation 
between  the  platoon  leader  and  the  Wingman;  voiee  communications  would  take  preeedenee 
over  digital  eommunieation  (5)  but  were  not  used  during  the  experiment  to  provide  CyberSleuth 
an  uninterrupted  operation. 

Only  the  performanee  of  CyberSleuth  operating  in  the  paranoid  mode  was  shown  in  the  TI 
laboratory;  the  discovery  proeess  and  the  ability  of  CyberSleuth  to  operate  in  the  suspieious 
mode  were  not  demonstrable  beeause  of  a  eoneern  about  the  limited  network  bandwidth 
availability  and  the  laek  of  a  version  of  the  Amzi!  software  that  could  run  on  Solaris'’’’^  x86 
operating  systems.  The  discovery  proeess  was  disabled  beeause  of  a  eoneern  about  its  exeeution 
time,  whieh  would  have  prolonged  the  experiment  beeause  it  would  have  had  to  eontaet  every 
networked  eomputer  with  its  name  listed  in  the  host  table  and  to  determine  the  availability  of  a 
suitable  mobile-agent  exeeution  environment  in  whieh  assessment  agents  would  run.  Therefore, 
the  topographie  information  of  the  three  partieipating  networked  computers  was  manually 
entered  in  the  host  table.  The  suspieious  mode  of  CyberSleuth  was  entirely  inaetive  during  the 
experiment  beeause  the  Amzi!  inferenee  engine  was  unavailable. 

The  traffie  data  generated  by  CyberSleuth  operating  in  the  paranoid  mode  were  eaptured  and 
stored  in  two  text  files.  Information  obtained  from  the  traffic  data  files  ineludes  the  names  of  the 
initiator  and  the  responder,  the  starting  and  ending  times  of  each  communication  session,  and 
number  of  transmitted  data  bytes.  Analyzing  these  data  files  requires  the  development  of  a 
eomputer  program  that  ean  parse,  deeipher,  reorganize,  and  tabulate  the  dense  and  eryptie 
material  into  a  format  that  eould  be  imported  into  the  Mierosoft  Exeel™  program  for  subsequent 
computation  and  plotting.  The  eomputer  program  was  written  in  the  Python  programming 
language  and  is  included  in  appendix  B. 


3.  Results 


Effeetive  throughput,  the  number  of  data  bits  transmitted  per  seeond,  and  the  sizes  of  assessment 
agents  were  ealeulated  with  the  information  eontained  in  the  two  data  files — the  files  TCP226a 
and  CS63aTCP.  The  file  TCP226a  has  approximately  72  minutes  worth  of  traffie  data  traveled 


^  Description  of  EPLRS,  URL:  http://www.monmouth.army.mil/  peoc3s/trcs/EPLRSDescr.htm. 
^  Description  of  SINCGARS,  http:/www.monmouth. army  .mil/  peoc3s/trcs/GarsDesc.htm. 
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between  the  platoon  leader  (PL)  eomputer  and  the  Wingman  (WGM)  over  the  SINCGARS  link 
and  between  the  PL  and  the  commander  (CDR)  computer  over  the  EPLRS  link.  The  file 
CS63aTCP  has  more  than  1,000  minutes  worth  of  traffic  data  traveled  only  between  the  PL  and 
the  WGM  computers  over  the  SINCGARS  radio  link. 

Information  obtained  and  derived  from  the  file  TCP226a  is  displayed  in  figures  3  through  7, 
showing  the  sizes  and  the  calculated  throughput  of  data  chunks  traveled  between  the  PL  and  the 
CDR  computers  and  between  the  PL  and  the  WGM  computers.  Similarly,  information  obtained 
and  derived  from  the  fide  CS63aTCP  is  depicted  in  figures  8  through  12,  showing  the  sizes  and 
the  calculated  throughput  of  data  chunks  traveled  between  the  PL  and  the  WGM  computers. 

A  consistent  pattern  of  mobile-agent  traffic  data  traveled  between  the  PL  and  the  CDR 
computers  captured  in  the  file  TCP226a  is  plotted  in  figure  3,  showing  the  starting  time  of  each 
communication  session.  The  total  size  of  the  mobile  assessment  agents  dispatched  from  the  PL 
computer  was  slightly  less  than  that  of  the  returning  agents.  During  this  72-minute  run,  the  total 
size  of  the  dispatched  agents  was  60,939  bytes  and  that  of  the  returning  agents  was  65,672  bytes. 
The  increased  size  of  the  returning  agents  was  attributable  to  the  additional  storage  that  was 
allocated  by  the  system  to  accommodate  the  assessment  results.  The  figure  also  shows  that  for 
each  communication  session,  the  receiver  steadily  sent  to  the  initiator  93  bytes  of  data 
(iPL<=rCDR  and  iCDR<=rPL). 
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Figure  3.  Sizes  of  data  ehunks  transmitted  on  the  EPLRS  link. 

A  mixed  traffic  pattern  of  mobile-agent  traffic  data  traveled  between  the  PL  and  the  WGM 
computers  captured  in  the  file  TCP226a  is  plotted  in  figure  4.  For  the  size  of  data  chunks  that  are 
larger  than  10,000  bytes,  a  consistent  pattern  of  93-byte  data  returned  to  the  initiator  by  the 
receiver  is  observed;  furthermore,  figure  4  reveals  that  the  WGM  computer  initiated  several 
requests  for  transmissions  of  many  smaller  chunks  of  data  from  the  PL  computer  between  the 
transmissions  of  the  large  chunks  of  data.  This  phenomenon  appears  to  be  that  the  mobile-agent 
execution  environment  at  the  target  host  did  not  have  the  required  Java  classes  for  a  complete 
execution  of  the  dispatched  mobile  agent;  therefore,  it  had  to  connect  with  the  PL  dispatcher  to 
request  additional  Java  classes.  This  process  occurred  automatically  without  any  user 
intervention. 
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Figure  4.  Sizes  of  data  ehunks  transmitted  on  the  SDSfCGARS  link. 

Again,  the  total  size  of  the  mobile  assessment  agents  dispatched  from  the  PL  computer  was  less 
than  that  of  the  returning  agents.  During  this  72-minute  run,  the  total  number  of  bytes  of  the  data 
traveling  from  the  dispatcher  PL  to  the  target  computer  WGM  was  243,043  bytes  and  that  of  the 
data  traveling  from  the  target  computer  WGM  to  the  dispatcher  was  280,483  bytes. 

The  throughput  was  calculated  and  depicted  in  figures  5  and  6.  The  throughput  for  the 
assessment  agents  traveling  between  the  PL  computer  and  the  CDR  computer  over  a  pair  of 
EPLRS  radios  were  consistently  slightly  below  500  bits  per  second  (bps),  and  the  sizes  of  these 
mobile  agents  were  clustered  around  10,000  bytes.  On  the  other  hand,  the  throughput  for  the 
assessment  agents  traveling  between  the  PL  computer  and  the  WGM  computer  over  the 
SINCGARS  radio  link  varied  widely,  especially  for  the  agents  that  traveled  from  the  WGM 
computer  to  the  PL  computer  (iWGM=>rPL). 
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Figure  5.  Throughput  for  transmitted  data  versus  time. 
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Figure  6.  Throughput  versus  sizes  of  data  chunks. 


During  the  first  17  minutes,  concurrent  and  overlapped  communication  sessions  originated  from 
the  initiators  to  the  receivers  and  were  extracted  from  the  file  TCP226a;  they  are  shown  in  figure 
7.  For  example,  while  an  assessment  agent  was  traveling  from  the  PL  computer  to  the  WGM 
computer  [iPL=>rWGM  (1)],  the  WGM  computer  completed  five  transmissions  of  short 
communication  messages  with  the  PL  computer  [iWGM=>rPL  (1-5)]  and  started  an  overlapped 
communication  session  [iWGM=>rPL  (6)].  Meanwhile,  having  completed  a  session  with  the 
WGM  computer,  the  PL  computer  began  transmitting  data  to  the  CDR  computer  [iPL=>rCDR], 
and  when  this  session  ended,  the  PL  computer  received  transmitted  data  from  the  CDR  computer 
[iCDR=>rPL]  and  simultaneously  sent  data  to  the  WGM  computer  [iPL=>rWGM(2)]. 


— iPL=>rWGM{1)  — A— iWGM=>rPL(1)  — iWGM=>rPL  (2)  —I — iWGM=>rPL  (3)  - iWGIVI=>rPL  (4) 


-D— iWGM=>rPL  (5)  — X— iWGM=>rPL  (6)  — o— iPL=>rCDR  iCDR=>rPL  — 0— iPL=>rWGM  (2) 


Figure  7.  A  sample  of  concurrent  transmission. 

Information  obtained  and  derived  from  the  second  file,  CS63aTCP,  is  displayed  in  figures  8 
through  12.  Figure  8  shows  the  sizes  of  data  chunks  traveled  between  the  PL  and  the  WGM 
computers  over  the  SINCGARS  link  over  a  period  of  about  1200  minutes.  The  sizes  of  the  data 
transmitted  (returning  agents)  from  the  WGM  computer  to  the  PL  computer  (iWGM=>rPL)  were 
expectedly  larger  than  those  of  the  data  transmitted  (dispatched  agents)  from  the  PL  computer  to 
the  WGM  computer  (iPL=>rWGM).  Several  small  sizes  of  communication  messages  that 
originated  from  the  WGM  computer  to  the  PL  computer  (iWGM=>rPL)  are  clustered  in  the 
beginning  of  the  plot. 
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Figure  8.  Sizes  of  data  chunks  transmitted  over  the  SINCGARS  link. 

An  expanded  plot  of  figure  8  during  the  first  50  minutes  is  plotted  in  figure  9,  showing  that  the 
WGM  computer  often  initiated  several  short  communication  messages  to  the  PL  computer, 
which  in  turn  responded  with  data  chunks  that  were  larger  than  the  requesting  messages.  This 
phenomenon  appears  to  indicate  that  the  WGM  computer  was  sending  requests  to  the  dispatcher, 
the  PL  computer,  for  additional  Java  code  to  complete  the  execution  of  the  dispatched  agents  at 
their  hosts. 
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Figure  9.  Sizes  of  data  chunks — first  50  minutes. 

The  computed  effective  throughput,  plotted  against  elapsed  time  and  the  sizes  of  the  data  chunks 
are  shown  in  figures  10  and  11.  Figure  10  shows  the  calculated  throughput  versus  the  elapsed 
times.  Most  of  the  throughput  for  the  data  transmitted  from  the  PL  computer  to  the  WGM 
computer  (iPL=>rWGM)  was  between  300  bps  and  about  800  bps,  whereas,  the  throughput  for 
the  data  transmitted  from  the  WGM  computer  to  the  PL  computer  (iWGM=>rPL)  varied  widely 
because  of  several  short  communication  messages  that  originated  from  the  WGM  computer 
(iWGM=>rPL),  as  plotted  in  figure  9. 
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I  ♦  iPL=>rWGM  a  iWGM=>rPL 


Figure  10.  Throughput  versus  time. 

The  throughput  shown  in  figure  1 1  were  calculated  by  dividing  the  total  number  of  transmitting 
and  responding  data  bytes  by  their  transmission  times.  Once  again,  the  throughput  for  the  data 
traveling  from  the  WGM  computer  to  the  PL  computer  over  the  SINCGARS  link  varied  widely; 
however,  the  throughput  generally  increased  proportionally  to  the  size  of  the  data  transmitted. 
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Figure  1 1 .  Throughputs  versus  sizes  of  data  ehunks. 

Information  about  the  concurrent  and  overlapped  transmission  of  CyberSleuth  traffic  was  also 
available  in  the  log  file  CS63aTCP.  The  activities  that  occurred  during  the  first  8  minutes  of  run 
are  depicted  in  figure  12.  For  example,  an  assessment  agent  required  4.29  minutes  to  travel  from 
the  PL  computer  to  the  WGM  computer  (iPL=>rWGM).  During  this  time,  the  WGM  computer 
sent  12  short  communication  transactions  with  the  PL  computer  (iWGM=>rPL)  and  initiated  an 
overlapped  communication  session  that  lasted  for  3.19  minutes  (from  4.20  to  7.39  minutes). 
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-♦-iPL=>rWGM  (1) 
iWGM=>rPL(4) 
-^iWGM=>rPL(8) 
-^iWGM=>rPL(12) 


-6-iWGM=>rPL  (1) 
-I— iWGM=>rPL  (5) 
^:^iWGM=>rPL  (9) 
<3— iWGM=>rPL  (13) 


-^iWGM=>rPL(2) 

- iWGM=>rPL  (6) 

-^iWGM=>rPL(10) 


-iWGM=>rPL  (3) 
-iWGM=>rPL  (7) 
-iWGM=>rPL  (11) 


Figure  12.  Sample  of  concurrent  and  overlapped  transmissions. 


4.  Discussion 


Limited  communication  bandwidth  available  on  the  TI  environment  was  a  challenge  for 
CyberSleuth  to  operate.  A  dispatched  mobile  assessment  agent  requires  nearly  5  minutes  to 
travel  between  two  hosts,  taking  approximately  10  minutes  for  a  round  trip,  assuming  that  the 
assessment  time  at  the  host  is  negligible,  compared  to  the  travel  time.  To  minimize  the  required 
travel  time  for  mobile  assessment  agents,  each  dispatched  agent  used  in  the  demonstration  was 
configured  to  carry  only  two  assessment  mechanisms  capable  of  inspecting  and  evaluating  two 
known  system-configuration  weaknesses  and  errors.  CyberSleuth  would  require  approximately 
24  hours  to  examine  300  specific  known  vulnerabilities  that  could  exist  in  a  single  target. 

The  calculated  throughput  for  CyberSleuth  traffic  on  the  EPLRS  radio  link  between  the  PL 
computer  and  the  CDR  computer  were  relatively  consistent  at  about  400  bps.  On  the  other  hand, 
the  calculated  throughput  for  CyberSleuth  traffic  on  the  SINCGARS  radio  link  varied  widely 
from  about  200  bps  to  1,578  bps.  This  variation  could  be  caused  by  concurrent  communication 
sessions  and  frequent  transmissions  of  short  messages,  which  required  the  same  overhead 
communication  data  bytes  for  establishing  and  disconnecting  a  communication  session,  and  thus 
reduced  the  overall  effective  throughput. 

These  results  were  obtained  from  a  very  simple  network  configuration  involving  only  three 
computers  that  used  two  pairs  of  different  tactical  radio  links.  Had  the  PL  computer  been 
connected  to  four  WGM  computers  connected  by  SINCGARS  radio  links  operating  at  the  same 
frequency,  then  the  throughput  would  have  been  substantially  reduced  because  of  network 
contention  and  congestion.  Had  CyberSleuth  been  deployed  at  the  CDR  computer,  then  the 
throughputs  would  have  further  deteriorated  because  every  dispatched  agent  to  a  WGM 
computer  would  have  had  to  travel  through  two  different  radio  links,  taking  two  “hops”  to  arrive 
and  return. 
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5.  Conclusions  and  Recommendations 


Preliminary  results  of  an  analysis  of  the  data  traffic  have  been  presented  and  discussed.  The 
empirical  data,  created  by  the  mobile  assessment  agents  of  CyberSleuth  operating  in  a  TI 
environment,  form  the  basis  for  this  analysis.  The  knowledge  learned  from  the  analyzed  results 
could  potentially  lead  to  a  better  understanding  of  the  constrained  behavior  of  a  very  low 
bandwidth  communication  environment  in  which  a  potential  application  of  mobile  agents  would 
have  to  operate. 

The  limited  bandwidth  available  for  CyberSleuth  in  the  experiment  was  a  difficult  environment 
in  which  the  mobile  assessment  agents  operated.  The  size  of  the  mobile  assessment  agents  was  a 
concern  because  it  proportionally  affected  the  transmission  time.  Future  challenges  for 
CyberSleuth  developers  will  include  reducing  the  size  of  the  mobile  agents  without  sacrificing 
their  effectiveness  and  conducting  further  empirical  studies  to  corroborate  several  claimed 
features  of  CyberSleuth,  including  but  not  limited  to  its  adaptivity  and  efficiency. 

The  implementation  of  each  assessment  mechanism  as  a  JavaBean™  component  provides 
modular  software  components  and  a  random  combination  of  which  would  enable  an  assessment 
agent  to  assess  different  vulnerabilities  each  time  it  visits  a  target  host.  Combining  several 
components  would  not  only  increase  the  effectiveness  of  the  dispatched  assessment  agents  but 
would  also  enlarge  their  sizes,  thereby  raising  their  round  trip  travel  time.  To  increase  the 
efficiency  without  sacrificing  the  effectiveness  of  the  mobile  assessment  agent  per  trip, 
implementing  more  than  one  assessment  mechanism  in  a  JavaBean™  component  is 
recommended. 
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Appendix  A.  Acronyms 


ARL  U.S.  Army  Research  Laboratory 

ATD  Advanced  Technology  Demonstration 

C2  command  and  control 

CDR  (company)  commander 

CECOM  The  U.S.  Army  Communications  and  Electronics  Command 

CERDEC  The  U.S.  Army  Communications-Electronic  Research,  Development,  & 
Engineering 

DP  discovery  process 

EPERS  enhanced  position  location  and  reporting  system 

EBCB2  Eorce  XXI  Battle  Command  Brigade  and  Below 

MA  mobile  agent 

PE  platoon  leader 

SA  situation  awareness 

SINCGARS  single-channel  ground-to-air  radio  system 

TI  Tactical  Internet 


TPA  technical  program  annex 

WGM  Wingman 
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Intentionally  Left  Blank. 
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Appendix  B.  Computer  Code  Used  in  the  Analysis 


Analyzing  the  two  data  files  eaptured  in  the  TI  Lab  of  CECOM. 
'TCP226a.txf 
'CS63aTCP.txf 

—  bnguyen@arl,  Spring  2003. 


Usage;  import  analyze 
or 

simply  double  eliek  this  file,  the  file  "analyze.py" 


import  string,  os 
class  TCPIPinfo; 

def _ init _ (self,  fn=None): 

print  'TCPIPinfo: :_init(fn)_',  fn 

self.ioprefix  =  fn[;fn.find('.txf)] 

self.iofileext  =  fn[fn.find('.txf);] 

self.iofilename  =  self.ioprefix  +  '-info'  +  self.iofile_ext 

self.ioplotfile  =  self.ioprefix+'-plotduration'+self  iofile_ext 

self.outfile  =  open(self.iofilename,  'w') 

selfplotfde  =  open(self  ioplotfde,  'w') 

self.timeO  =  0  #  eonstant  throughout  the  life  of  an  objeet. 

selfresetO 


def  reset(self): 
selfsouree  = 
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self.sink  = " 
self.stime  = " 
self.etime  = " 
self.xtime  =  0 
self.size  =  0 
self.r2isize  =  0 
self.throughput=0 

def  set_source(self,  ip): 

"""set  the  source  to  be  the  name  of  the  initiator.""" 
self  source  =  self  ip2name(ip) 

def  set_sink(self,  ip): 

"""set  the  destination  to  be  the  name  of  the  responder.""" 
self.sink  =  self.ip2name(ip) 

def  set_start_time(self,  t): 

"""  set  the  start  time  of  each  TCP/IP  session 

(time(i)-timeO)=  elapsed  time  from  the  beginning  of  a  run. 

ttIMI 

self.stime  =  t 

if  self.timeO  <=  0  :  #  the  beginning  of  a  run. 
self.timeO  =  self.to_msec(t) 

def  set_end_time(self,  t): 

"""set  etime  =  end  time  of  a  TCP/IP  session""" 
self.etime  =  t 

def  set_xtime(self): 

"""set  the  transmission  time  (duration)  of  a  TCP/IP  session""" 
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self.xtime  =  self.to_msec(self.etime)-self.to_msec(self.stime) 

# 

#  session  went  over  midnight 

#  00:00:00.000  <=  t  <=  23:59:59.999 

#  24:00:00.000  =  23:59:59.999  +  1/1000 
if  self.xtime  <  0  : 

self.xtime  =  (1000*3600*24)  -  \ 

self  to_msec(self  stime)  +  self.to_msee(self.etime) 

def  add_size(self,  s): 

"""Tabulating  the  number  of  bytes  transferred  from  the  initiator  to  the  responder""" 
self.size  =  self  size  +  s 

def  add_r2isize(self,  s): 

"""tabulating  the  number  of  bytes  that  the  responder  sent  to  the  initiator""" 
self.r2isize  =  self.r2isize  +  s 

def  cal_throughput(self):  #  bits/sec  (8  bits=byte,  1000  mseo=seo) 

"""  calculate  the  throughput  for  the  current  session""" 
self.throughput  =  8*1000*float(self  size)/float(self.xtime) 

def  end_processing(self): 
selfoutfde.closeO 
selfplotfde.closeO 
self.separate_traffic() 

print  'End  of  Processing  -  Results  are  saved  in  the  file:  <%s>' 

%  self.iofilename 

def  separate_traffic(self): 

execfilename  =  self  iopre  fix  +  '-exe' 
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of  =  open(exec_file_name,  'w') 

of  write('grep  CDR  %s  >  %s-CDR.txt\n'  %  (self  iofilename, 
selfioprefix)) 

ofwriteCgrep  WGM  %s  >  %s-WGM.txt\n'  %  (self  iofilename, 
selfioprefix)) 

ofwriteCgrep  ^WGM  %s-WGM.txt  >  %s-WGM2PL.txt\n'  % 
(selfioprefix,  selfioprefix)) 

ofwriteCgrep  -v  ^WGM  %s-WGM.txt  >  %s-PL2WGM.txt\n'  % 
(selfioprefix,  selfioprefix)) 

ofwriteCgrep  PL"  %s-CDR.txt  >  %s-PL2CDR.txt\n'  % 
(selfioprefix,  selfioprefix)) 

ofwriteCgrep  -v  PL"  %s-CDR.txt  >  %s-CDR2PL.txt\n'  % 
(selfioprefix,  selfioprefix)) 

ofwriteCcat  %s-*2*.txt  »  %s-traffic.txt\n'  %  (selfioprefix, 
selfioprefix)) 

ofeloseO 

print  'separate  trafficO  -  DONE!' 

print  'chmod():',  os.systemCehmod  +w  %s'  %  exec_file_name) 

print  'exee() os.system(exee_file_name) 

def  output(self): 

if  len(self  souree)  <=  0  : 

print  'TCPIPinfo::output()  -  nothing  to  print.' 

return 

if  self.size  <=  0  and  self  r2isize  <=  0  : 

print  '%16s,  %16s,  %s,  %s  ;  No  data  tranferred  -->  no 
output.'  %  (self  souree,  self  sink,  self  stime, 
self  etime) 

return 
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elapsedtime  =  (self.to_msec(self.stime)-self.time0)/60000.0 
if  elapsed  time  <  0  ; 

elapsedtime  =  elapsedtime  +  24*60 

self.outfde.write('%16s,  %16s,  %s,  %s,  %d,  %d,  %5.2f,  %8d, 
%5.2f,  %6d,  %6d,  %  10.3 An'  %  \ 

(self.source,  self.sink,  self.stime,  self.etime,  \ 
self.to_msee(self.stime),  self.to_msec(self.etime),  \ 
elapsed_time,  self.xtime,  self.xtime/60000.0,  \ 

self,  size,  self  r2isize,  self  throughput)) 

Prepare  data  for  plotting  the  duration  using  MS  Excel. 

Example:  o - o  | - 1  x - x 

src,  dst,  t(s)-t0,  src2dst(bytes) 
src,  dst,  t(e)-t0,  src2dst(bytes) 

ts  =  (self.  to_msec(self.  stime)-self  time0)/60000.0 
te  =  (self.  to_msec(self.  etime)-self.  time0)/60000.0 
if  ts  <  0  :  ts  =  ts  +  24*60 
if  te  <  0  :  te  =  te  +  24*60 

self.plotfde.write('%16s,  %16s,  %5.2f,  %d\n'  %  (self  source, 
self  sink,  ts,  self  size)) 

self.plotfde.write('%16s,  %16s,  %5.2f,  %d\n'  %  (self  source, 
self  sink,  te,  self  size)) 

self.plotfde.write('%16s,  %16s,  %5.2f,  %d\n'  %  (self  source, 
self  sink,  ts,  self  r2isize)) 

self.plotfde.write('%16s,  %16s,  %5.2f,  %d\n'  %  (self  source, 
self  sink,  te,  self  r2isize)) 
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def  ip2name(self,  ip); 


converts  the  given  IP  address  to  a  host/unit  name, 
xxx.xxx.xxx.xxx  — >  CDR-M1-1BN66AR 

yyy-yyy-yyy-yyy  — ^  pl-i-a-ibn66Ar 

zzz.zzz.zzz.zzz  — >  WGM1-1-A-1BN66AR 


if  ip  ==  'xxx.xxx.xxx.xxx'  : 

return  'CDR-M1-1BN66AR' 
elif  ip  ==  ‘yyy.yyy.yyy.yyy’ : 

return  'PL-1-A-1BN66AR' 
elif  ip  ==  'zzz.zzz.zzz.zzz’: 

return  'WGM1-1-A-1BN66AR' 
else  : 

return  ip  #nothing  was  eonverted. 

#return  '  *  *  *  error*  *  * ' 

def  to_msec(self,  t): 

Convert  time  XX;XX;XX.mmm  to  milliseeonds. 
00:00:00.000  <=  t  <=  23:59:59.999 

i=string.fmd(t, ':') 
hrs  =  long(t[0;i]) 
i+=  1 

j=string.fmd(t, i) 
min  =  long(t[i;j]) 

j+=l 

i=string.fmd(t, j) 
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sec  =  long(t[j;i]) 
i+=  1 

mil  =  long(t[i;]) 

return(mil  +  1000*(sec  +  60*min  +  3600*hrs)) 

###################################################################### 

#  Looking  for  overlapped  TCP/IP  sessions. 

# 

def  print_overlapped_sessions(self): 

FIELD_SEPARATOR=V 

OUT_TXT_FILENAME  =  self  ioprefix  +  '-overlaps'+self.iofileext 

i  =  open(self.iofilename,  'r') 
contents  =  i.readlines() 
i.closeO 

start_times  =  {} 
end_times  =  {} 
count  =  0 

print  'Reading  input  file' 
for  input  line  in  contents  ; 

# 

#  save  the  start  time  and  end  time  in  two  lists 

# 

fields  =  input_line.split(FIEED_SEPARATOR) 
start_times[count]=  selfto_msec(fields(2)) 
end_times  [count]  =  self  to_msec(fields(5)) 
count  =  count  +  1 
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print  'Finished  reading  input  file.' 


print  'Adjust  reeorded  time  ...' 

one  full  day  =  24  *  3600  *  1000  #milliseeonds. 

eount  =  0 

for  i  in  range(l,len(start_times))  : 
if  start_times[i]<  start_times[0]  or  \ 
end_times[i]  <  start_times[0]  : 

start_times[i]  =  start_times[i]  +  one_full_day 
end_times[i]  =  end_times[i]  +  one_full_day 
print  'End  adjusting  times.' 

# 

#  outputing  the  results. 

# 

out  txt  file  =  open(OUT_TXT_FlLENAME,  'w') 

eoneurrentsessions  =  [] 

for  i  in  range(len(start_times))  : 

# 

#  Assume  that  times  are  recorded  in  time-ascending  order 

# 

overlapped_sessions=[] 
for  j  in  range(i+l,  len(start_times)): 
if  start_times[j]  <  end_times[i]; 

#if  another  TCP/IP  session  is  started  while 

#  the  current  one  is  in  progress.  Use  a  list 

#  to  store  the  indices  of  overlapped  sessions 
#occurred  in  the  session  i 
overlapped_sessions.append(j) 

if  j  not  in  eoneurrent  sessions  ; 
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concurrent_sessions.append(j) 

#end  if 

nOverlaps  =  len(overlapped_sessions) 
if  nOverlaps  ==  0  and  i  not  in  concurrent  sessions  : 

#no  interruption 

out_txt_file.write('<%d:— no  overlapped  sessions>'%  i) 
out_txt_file.write('  (%d)%s'  %  (i,  contents[i])) 
elif  nOverlaps  ==  1  ; 

#output  the  indices  of  the  overlapped  sessions... 
out_txt_file.write('<%d;  %d>\n'  %  (i, 
overlapped_sessions[0] ) ) 
out_txt_file.write('  (%d)%s'  %  (i,  contents[i])) 

#output  the  contents 

out  txt  file.writeC  (%d)%s'  %(overlapped_sessions[0],  contents[overlapped_sessions[0]])) 
elif  nOverlaps  >  0  ; 

#output  the  indices  of  the  overlapped  sessions... 

out_txt_file.write('<%d:'  %  i) 

for  j  in  range(nOverlaps-l)  : 

out_txt_file.write('  %d,'  %  overlapped_sessions[j]) 

out_txt_file.write('  %d>\n'  %  overlapped_sessions[j+l] ) 

out_txt_file.write('  (%d)%s'  %  (i,  contents[i])) 

#output  the  contents 

for  j  in  range(nOverlaps)  : 

out_txt_file.write('  (%d)%s'  % 
(overlapped_sessions[j],contents[overlapped_sessions[j]])) 

out_txt_file.close() 

print  'print_overlapped_sessions()  :  <%s>'  %  OUT_TXT_FILENAME 
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###################################################################### 


class  ParseTCPIP; 

# 

#  Parsing  the  TCP/IP  data  captured  in  the  TI  lab  in  August,  2002. 

# 

def  ffxtract(self,  str,  s,  e): 

"""  extract  a  substring  from  str,  given  delimiters  s  &  e  """ 
i  =  str.lind(s)  #looking  for  's'  from  the  left, 
j  =  str.lrnd(e,  i+1)  #looking  for  'e'  from  s+1. 
return  str[i+l;j] 

def  frfxtract(self,  str,  s,  e): 

"""  extract  a  substring  from  str,  given  delimiters  s  &  e  """ 
i  =  str.lind(s)  #looking  for  's'  from  the  left, 
j  =  str.rfind(e)  #looking  for  'e'  from  the  right, 
return  str[i+l;j] 

def  analyze(self,  fn); 
transmitter  =  'Initiator:' 
receiver  =  'Responder:' 
label  =  'Time' 

underline  =  ' — ' 
trans2rec  =  'I  ->  R' 
rec2trans  =  'I  <-  R' 
bytes  =  'bytes' 

sessionstart  =  0 

start_time_next  =  0  #next  input  line  contains  starting  time, 
previousline  =  " 
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result  =  TCPIPinfo(fn) 

#read  the  input  data  fde. 
infde  =  open(fn); 
while  1  : 

inputline  =  inlile.readline() 
if  len(input_line)  ==  0  ; 

break 

inputline  =  string. strip(input_line) 

if  input_line.lind(transmitter)  >=  0  ; 

session  start  =  1  #extraeting  the  ip  addr  of  the  source 
result.set_source(self  fr6ctract(input_line,' 

continue 

if  session_start  <=  0  : 

continue  #searching  for  the  'transmitter'  keyword 
if  input_line.iind(receiver)  >=  0  : 

#extracting  the  ip  address  of  the  receiver 
result.set_sink(self.frfxtract(input_line,' 
elif  input_line.iind(label)  >=  0  ; 

continue  #ignore  label 
elif  input_line.lind(underline)  >=  0  : 

start_time_next  =  1  #next  input  line  will  be  data, 
continue 

elif  len(input_line)  >  1 ; 

if  start_time_next  >=  1  :  #  1st  transmission. 

result.set_start_time(self.ffxtract(input_line,' ',' ')) 
start_time_next  =  0  #ignore  other  time  data 
else  :  #  Not  1st  transmission,  which  is  usually  a  SYNC  flag, 
if  input_line.lind(trans2rec)  >=  1  and  \ 

input_line.find(bytes)  >=  1  :  #extractN  bytes 
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size  =  string. atoi(self.frfxtract(input_line,'(V  ')) 
result.add_size(size) 
elif  input_line.find(rec2trans)  >=  1  and  \ 
input_line.find(bytes)  >=  1  :  #extractN  bytes 
size  =  string. atoi(self.frtxtraet(input_line,'(V  ')) 
result.add_r2isize(size) 

previous_line  =  input_line  #save  the  eurrent  input  line 
else  : 

session_start  =  0  #end  of  session,  save  the  end  time 
result.set_end_time(self  ffxtract(previous_line,' ')) 
result.set_xtime()  #  caleulate  transmission  time 
result.eal_throughput()  #  number  of  bits  per  seeond 
result.outputO 
result.resetO 

infde.eloseO 

result.end_proeessing() 

result.print_overlapped_sessions() 

mmmmmmmmmmmmmmmmmmmmmmmmmmmm# 

itmt 

Usage:  import  analyze 
or 

simply  double  click  this  file,  the  file  "analyze.py" 

ParseTCPIP().analyze('TCP226a.txf) 

ParseTCPIP().analyze('CS63aTCP.txf) 
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Appendix  C:  A  Sample  of  Traffic  Data 

Initiator:  xxx.xxx.xxx.xxx: —  (port  IIII) 

Responder:  yyy.yyy.yyy.yyy: —  (port  JJJJ) 

Time  Tap  Dir  Msg  Dir  Seq  Num  Aek  Num  Flags 


226  17:53:10.966  T  I->R  S:9EA3A6C3  A:00000000  Syn 

226  17:53:53.463  T  I->R  S:9EA3A6C3  A:00000000  Syn 

226  17:53:55.094  R  I  <- R  S:381A0272  A:9EA3A6C4  Syn  Aek 

226  17:53:55.116  T  I->R  S:9EA3A6C4  A:381A0273  Aek 

226  17:53:55.128  T  I->R  S:9EA3A6C4  A:381A0273  Aek  Psh  (536  bytes) 

226  17:54:40.109  T  I->R  S:9EA3A6C4  A:381A0273  Aek  (536  bytes) 

226  17:54:47.024  R  I  <-  R  S:381A0273  A:9EA3A6C4  Aek 

226  17:54:47.040  R  I  <- R  S:381A0273  A:9EA3A8DC  Aek 

226  17:54:47.056  R  I  <- R  S:381A0273  A:9EA3A8DC  Aek 

226  17:54:47.058  T  I->R  S:9EA3A8DC  A:381A0273  Aek  (536  bytes) 

226  17:54:47.210  T  I->R  S:9EA3AAF4  A:381A0273  Aek  Psb  (536  bytes) 

226  17:54:55.670  R  I  <-  R  S:381A0273  A:9EA3AAF4  Aek 

226  17:54:55.686  R  I  <- R  S:381A0273  A:9EA3AD0C  Aek 

226  17:54:55.687  T  I->R  S:9EA3AD0C  A:381A0273  Aek  (145  bytes) 

226  17:54:55.737  T  I->R  S:9EA3AD9D  A:381A0273  Aek  (536  bytes) 

226  17:54:55.889  T  I->R  S:9EA3AFB5  A:381A0273  Aek  (536  bytes) 

226  17:54:56.041  T  I->R  S:9EA3B1CD  A:381A0273  Aek  (536  bytes) 

226  17:55:06.222  R  I  <- R  S:381A0273  A:9EA3AD0C  Aek 

226  17:55:23.724  T  I->R  S:9EA3AD0C  A:381A0273  Aek  (536  bytes) 

226  17:55:29.483  R  I  <- R  S:381A0273  A:9EA3AF24  Aek 

226  17:55:29.504  T  I->R  S:9EA3AF24  A:381A0273  Aek  (536  bytes) 

226  17:55:29.657  T  I->R  S:9EA3B13C  A:381A0273  Aek  (536  bytes) 

226  17:55:39.401  R  I  <- R  S:381A0273  A:9EA3B13C  Aek 
226  17:55:39.421  R  I  <- R  S:381A0273  A:9EA3B3E5  Aek 
226  17:55:39.422  T  I->R  S:9EA3B354  A:381A0273  Aek  (145  bytes) 
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226  17:55:39.473  T  I->R  S:9EA3B3E5  A:381A0273  Ack  (536  bytes) 

226  17:55:39.626  T  I->R  S:9EA3B5FD  A:381A0273  Ack  (536  bytes) 

226  17:55:39.779  T  I->R  S:9EA3B815  A:381A0273  Ack  Psh  (536  bytes) 

226  17:55:46.820  R  I  <- R  S:381A0273  A:9EA3B3E5  Ack 

226  17:55:46.836  R  I  <- R  S:381A0273  A:9EA3B5FD  Ack 

226  17:55:46.854  T  I->R  S:9EA3BA2D  A:381A0273  Ack  Psh  (536  bytes) 

226  17:55:54.657  R  I  <- R  S:381A0273  A:9EA3B815  Ack 

226  17:55:54.673  R  I  <- R  S:381A0273  A:9EA3B815  Ack 

226  17:55:54.693  R  I  <- R  S:381A0273  A:9EA3B815  Ack 

226  17:55:54.709  R  I  <- R  S:381A0273  A:9EA3B815  Ack 

226  17:55:54.673  T  I->R  S:9EA3BC45  A:381A0273  Ack  Psh  (536  bytes) 

226  17:56:01.252  R  I  <- R  S:381A0273  A:9EA3BA2D  Ack 

226  17:56:01.268  R  I  <- R  S:381A0273  A:9EA3BC45  Ack 

226  17:56:06.830  R  I  <- R  S:381A0273  A:9EA3BE5D  Ack 

226  17:56:06.848  T  I->R  S:9EA3BE5D  A:381A0273  Ack  (536  bytes) 

226  17:56:06.999  T  I->R  S:9EA3C075  A:381A0273  Ack  Psh  (536  bytes) 
226  17:56:16.368  R  I  <- R  S:381A0273  A:9EA3C075  Ack 
226  17:56:16.384  R  I  <- R  S:381A0273  A:9EA3C28D  Ack 
226  17:56:16.385  T  I->R  S:9EA3C28D  A:381A0273  Ack  (536  bytes) 

226  17:56:16.538  T  I->R  S:9EA3C4A5  A:381A0273  Ack  Psh  (536  bytes) 

226  17:56:16.689  T  I->R  S:9EA3C6BD  A:381A0273  Ack  Psh  (536  bytes) 

226  17:56:26.979  R  I  <- R  S:381A0273  A:9EA3C4A5  Ack 

226  17:56:26.995  R  I  <- R  S:381A0273  A:9EA3C6BD  Ack 

226  17:56:26.996  T  I->R  S:9EA3C8D5  A:381A0273  Ack  Psh  (536  bytes) 

226  17:56:27.149  T  I  ->  R  S:9EA3CAED  A:381A0273  Ack  Psh  (536  bytes) 

226  17:56:35.229  R  I  <- R  S:381A0273  A:9EA3C8D5  Ack 

226  17:56:35.245  R  I  <- R  S:381A0273  A:9EA3CAED  Ack 

226  17:56:35.261  R  I  <- R  S:381A0273  A:9EA3CD05  Ack 

226  17:56:35.246  T  I->R  S:9EA3CD05  A:381A0273  Ack  (536  bytes) 

226  17:56:35.397  T  I->R  S:9EA3CF1D  A:381A0273  Ack  Psh  (536  bytes) 
226  17:56:35.549  T  I->R  S:9EA3D135  A:381A0273  Ack  Psh  (536  bytes) 
226  17:56:35.700  T  I->R  S:9EA3D34D  A:381A0273  Ack  Psh  (536  bytes) 
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226  17:57:00.236  T  I->R  S:9EA3CD05  A:381A0273  Ack  (536  bytes) 

226  17:57:36.628  R  I  <- R  S:381A0273  A:9EA3CF1D  Ack 
226  17:57:36.644  R  I  <- R  S:381A0273  A:9EA3D135  Ack 
226  17:57:36.660  R  I  <- R  S:381A0273  A:9EA3D34D  Ack 
226  17:57:36.645  T  I->R  S:9EA3CF1D  A:381A0273  Ack  (536  bytes) 

226  17:57:36.796  T  I->R  S:9EA3D135  A:381A0273  Ack  (536  bytes) 

226  17:57:36.948  T  I->R  S:9EA3D34D  A:381A0273  Ack  (536  bytes) 

226  17:57:37.100  T  I->R  S:9EA3D565  A:381A0273  Ack  Psh  (536  bytes) 

226  17:57:37.253  T  I->R  S:9EA3D77D  A:381A0273  Ack  Psh  (536  bytes) 

226  17:57:44.231  R  I  <- R  S:381A0273  A:9EA3D565  Ack 

226  17:57:44.247  R  I  <- R  S:381A0273  A:9EA3D565  Ack 

226  17:57:44.273  R  I  <- R  S:381A0273  A:9EA3D565  Ack 

226  17:57:44.248  T  I->R  S:9EA3D995  A:381A0273  Ack  Psh  (536  bytes) 

226  17:57:54.031  R  I  <- R  S:381A0273  A:9EA3D565  Ack 

226  17:57:54.047  R  I  <- R  S:381A0273  A:9EA3D77D  Ack 

226  17:57:54.064  R  I  <- R  S:381A0273  A:9EA3D995  Ack 

226  17:57:54.080  R  I  <- R  S:381A0273  A:9EA3DBAD  Ack 

226  17:57:54.065  T  I->R  S:9EA3DBAD  A:381A0273  Ack  Psh  (536  bytes) 

226  17:57:54.223  T  I->R  S:9EA3DDC5  A:381A0273  Ack  (536  bytes) 

226  17:57:54.381  T  I->R  S:9EA3DFDD  A:381A0273  Ack  Psh  (536  bytes) 

226  17:57:54.534  T  I->R  S:9EA3E1F5  A:381A0273  Ack  Psh  (536  bytes) 

226  17:58:05.334  R  I  <- R  S:381A0273  A:9EA3DDC5  Ack 

226  17:58:05.349  R  I  <- R  S:381A0273  A:9EA3DFDD  Ack 

226  17:58:05.365  R  I  <- R  S:381A0273  A:9EA3DFDD  Ack 

226  17:58:05.381  R  I  <- R  S:381A0273  A:9EA3E1F5  Ack 

226  17:58:05.350  T  I  ->  R  S:9EA3E40D  A:381A0273  Ack  Psh  (536  bytes) 

226  17:58:05.504  T  I->R  S:9EA3E625  A:381A0273  Ack  Psh  (356  bytes) 

226  17:58:11.254  R  I  <- R  S:381A0273  A:9EA3E40D  Ack 

226  17:58:11.270  R  I  <- R  S:381A0273  A:9EA3E625  Ack 

226  17:58:16.884  R  I  <- R  S:381A0273  A:9EA3E789  Ack 

226  18:02:31.143  R  I  <- R  S:381A0273  A:9EA3E789  Ack  Psh  (  93  bytes) 

226  18:02:31.186  T  I->R  S:9EA3E789  A:381A02D0  Ack 
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226  18:02:31.186  R  I<-R  S:381A02D0  A:9EA3E789  Ack  Fin 
226  18:02:31.198  T  I->R  S:9EA3E789  A:381A02D0  Ack  Fin 
226  18:02:31.211  T  I->R  S:9EA3E78A A:381A02D1  Ack 
226  18:02:38.350  R  I<-R  S:381A02D1  A:9EA3E78A  Ack 
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